In 2018, the California State Legislature passed the groundbreaking California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020. The law creates a wide range of new rights for California residents and imposes significant compliance and transparency obligations on businesses that collect, store, and use consumer personal information. Commentators have noted that the CCPA draws inspiration in part from another sweeping consumer-data protection law, the European Union's (EU) General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. The purpose of this article is to examine and summarize the key similarities and differences between the two regulations.
The CCPA applies to for-profit companies that do business in California and that meet any one of three thresholds: they buy, share, or sell the personal data of more than 50,000 California residents, households, or devices; they earn more than 50 percent of their revenue from the sale of personal data; or they have annual revenue of over $25 million. The law's definition of personal information is broad and includes items such as phone numbers, social security numbers, biometric information, and Internet Protocol (IP) addresses. The law provides California residents with the right to "be forgotten" (i.e., to have their personal information deleted from a business's database) and the right to opt out of the sale of their information ("sale" is broadly defined to encompass any exchange of consumer information for something of value). The CCPA creates a private right of action, with statutory damages, for data breaches that result from a business's failure to implement reasonable security; other violations are enforced by the California Attorney General, who may seek civil penalties of up to $2,500 per violation, increasing to $7,500 for each intentional violation.
The GDPR applies to any entity that collects, stores, or processes the personal data of individuals in the EU, regardless of the size of the entity. That means it is legally binding for international companies with global operations that offer goods or services to individuals in the EU, or that monitor the behavior of individuals within the EU. The regulation's definition of personal data encompasses addresses, financial account information, health data such as blood type, and several other categories. The GDPR grants several rights, including the right to "be forgotten" (erasure of data) and the right of access to the information stored and used by companies. Entities found to be in non-compliance can be fined up to 4 percent of their annual worldwide turnover or €20 million, whichever is higher.
Brass Tacks: The Key Takeaways
- Similarities: Both the CCPA and the GDPR are designed to encourage and facilitate transparency in data collection and transmission. The laws apply throughout the relevant government's jurisdiction and protect all residents of that jurisdiction; a company therefore need not be based in California or the EU to be subject to these regulations. They apply each time a business handles the data of the jurisdiction's residents. Finally, both laws accord individuals the right to "be forgotten," the right to access the information about them that is collected and sold, and the right to stop or correct the processing of their personal data.
- Differences: In terms of coverage, the GDPR is broader in scope than the CCPA and encompasses private companies, non-profit organizations, and public bodies and institutions; in contrast, the CCPA is largely confined to for-profit businesses that exceed a threshold size in terms of revenue or scale of data handling. While the CCPA applies to "consumers" (i.e., individuals who are California residents), the GDPR applies to "data subjects," a term keyed to a person's presence in the EU rather than to citizenship or residency. As to exemptions, the CCPA carves out specific categories of data, for example information that is lawfully made available to the public, medical information protected under the California Confidentiality of Medical Information Act (CMIA) or the federal Health Insurance Portability and Accountability Act (HIPAA), and data gathered as part of clinical trials. The GDPR contains no comparable categorical exclusions for these data types. Finally, while the CCPA merely requires that businesses offer consumers the choice to "opt out" when their information is shared or sold, the GDPR requires a lawful basis before personal data may be processed at all, and where that basis is consent it must be affirmative ("opt-in") consent obtained before processing begins.